One more topic to cover is managing compliance across your Microsoft cloud enterprise environment. Read on for tenant-level license compliance and some hints on how to realize it technically.

License compliance

When I talk to other tech people about Microsoft technologies, licensing is often the part where it gets confusing. Well, to be honest, it is. However, there is a way to get a general understanding of how these services are licensed. And a complex license model isn't always just pain: Microsoft offers a handful of license suites that bundle the most important features for a certain product range. This summary is what I personally use (don't be shocked if you see this for the first time):

Source: Aaron Dinnage (also take a look at the original PDF document to use the embedded links that lead to more information)

Enterprise License suites

Office 365 covers the Office suite (the installable apps as well as the SaaS apps such as Exchange Online, SharePoint Online and Teams).

Enterprise Mobility + Security products help to make your enterprise mobile (expand to the cloud with new technologies) but also cover part of the security stack: identity (Azure AD Premium), device management (Intune) and information protection.

Windows 10 Enterprise covers mainly Windows 10 features and Windows Virtual Desktop.

Microsoft 365 is a bundle of Office 365, Enterprise Mobility + Security and Windows 10 Enterprise.

E3 vs. E5 vs. F3

All mentioned license suites are available on different levels. The most relevant (from my experience) are E3, E5 and F3 (originally F1). What you need to know is that E3 is a step up from F3 and E5 is a step up from E3.

F3 licenses are the cheapest of all and have a slimmed-down feature range (aimed at frontline workers).

E3 licenses provide the basic product set plus some extra features.

E5 licenses are aimed at customers who are cloud-native and expect the most from Microsoft products. In general, you can say that E5 simply has more security features and products to use, for example Defender for Endpoint and Microsoft Cloud App Security, both discussed below. (This is the dream for all Microsoft nerds.)

Then we also have the Azure AD related license types:

Azure AD Premium Plan 1 offers identity products inside Azure AD (for example Conditional Access).

Azure AD Premium Plan 2 adds identity security products on top of Plan 1 (for example Identity Protection and Privileged Identity Management).

Please keep in mind that there are a lot of other license packages in addition to the ones mentioned here.

Architectural hints on how to deal with E5 license compliance for some Intune-related products

During my work with Intune I've come across some extended security products that I wanted to test out and that are compatible with Intune. Use this if you have E3 as well as E5 users in your tenant.

Defender for Endpoint (originally MDATP)

Ever wanted more out of Microsoft Defender? Defender for Endpoint requires a sensor on the Windows 10 endpoint which sends data to the Defender Security Center. The easiest way is to onboard only those endpoints that belong to a user with an E5 license, i.e. install the sensor (or assign the Intune device configuration profile that performs the onboarding) to a group containing just the E5 users. Keep in mind that the license is per user while onboarding is per device, so shared or multi-user devices need a deliberate decision.

But what if this is not possible? Assuming you have all clients onboarded, you can still filter with device groups. Navigate to the Defender Security Center, then into Settings, create a new device group and select an automation level. Device groups match on device name, domain, tag or OS and are evaluated in rank order (first match wins), so tag your E3 clients consistently. For E3 clients you can choose no automated response, which means that Defender for Endpoint is only collecting data from them but not doing any remediation or response.


Microsoft Cloud App Security

MCAS serves as a CASB (cloud access security broker) and uses data from the Defender for Endpoint sensor - I love it. You can also feed it with firewall logs, but this would need some kind of automation to always have up-to-date information.

To restrict MCAS to your E5 users you can use a scoped deployment, found in the MCAS portal under Settings > Scoped deployment and privacy. Import a user group from Azure AD and add it to the include or exclude list; the same group you use to target the Defender for Endpoint onboarding profile in Intune works here as well.
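Both the Intune assignment for the Defender for Endpoint onboarding profile and the MCAS scoped deployment above need an Azure AD group that contains exactly the E5 users. The following script is an added example, not code from the original post, and keeps such a group in sync with the users that currently hold the Microsoft 365 E5 SKU (`SPE_E5`). It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account can read users and SKUs and manage group members, and the group name is a placeholder you adapt to your own naming convention.

```powershell
# Added example (not from the original post): sync an Azure AD security group with
# the users that hold a Microsoft 365 E5 licence, so that the Intune onboarding
# profile for Defender for Endpoint and the MCAS scoped deployment can be
# targeted at this group instead of the whole tenant.
# Assumptions: Microsoft.Graph SDK installed; account has the scopes below;
# $GroupName is a placeholder.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Organization.Read.All"

$SkuPartNumber = "SPE_E5"              # Microsoft 365 E5; "SPE_E3" would select E3 users
$GroupName     = "SG-License-M365-E5"  # assumed name, adjust to your convention

# Resolve the tenant-specific SKU ID of the E5 subscription.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU $SkuPartNumber is not present in this tenant." }

# Create the target group if it does not exist yet (security group, not mail-enabled).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
        -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') -SecurityEnabled:$true
}

# Users that currently hold the E5 SKU. AssignedLicenses reflects both direct and
# group-based license assignment, so both licensing methods are covered.
$licensed = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.SkuId -contains $sku.SkuId }
$licensedIds = @($licensed.Id)

# Current members of the group.
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)

# Add users that received E5 since the last run.
foreach ($id in $licensedIds) {
    if ($memberIds -notcontains $id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
    }
}

# Remove users whose E5 licence was taken away, so the Intune profile and the
# MCAS scope stop applying to them at the next policy refresh.
foreach ($id in $memberIds) {
    if ($licensedIds -notcontains $id) {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $id
    }
}

"{0}: {1} E5 users, {2} group members before sync" -f $GroupName, $licensedIds.Count, $memberIds.Count
```

Run it on a schedule (for example as an Azure Automation runbook) so license changes propagate without manual work. If you prefer not to run a script at all, an Azure AD dynamic group with a membership rule of the form `user.assignedPlans -any (assignedPlan.servicePlanId -eq "<plan id>" -and assignedPlan.capabilityStatus -eq "Enabled")` achieves the same; take the service plan ID of the Defender for Endpoint plan from the `ServicePlans` property returned by `Get-MgSubscribedSku` for your E5 SKU rather than hard-coding it.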
